UPDATE: Yahoo 'taking immediate action' as hackers dump 450K passwords online
Less than five per cent of stolen accounts had active passwords, says Yahoo
Yahoo has now provided Computing with an updated comment. The statement reads:
"At Yahoo we take security very seriously and invest heavily in protective measures to ensure the security of our users and their data across all our products. We confirm that an older file from Yahoo Contributor Network (previously Associated Content) containing approximately 450,000 Yahoo and other company users names and passwords was compromised yesterday, July 11."
To attempt to dispel fears about the publicly-released and widely available document, the statement goes on to say, "Of these, less than five per cent of the Yahoo accounts had valid passwords."
Computing can confirm that, of a random sample of just five passwords from the 450,000 available, three passwords were still active, though on expired accounts.
"We are taking immediate action by fixing the vulnerability that led to the disclosure of this data, changing the passwords of the affected Yahoo! users and notifying the companies whose users' accounts may have been compromised. We apologise to all affected users," Yahoo's statement ended.
Original story:
Yahoo has said it is looking into "claims of a compromise" after a hacking group calling itself D33Ds Company released a list of Yahoo users' logins, comprising usernames and passwords, to its own website.
The document, which lists the critical information in raw text format, comprises 453,491 username and password sets, and is freely available on D33Ds Company's website and various mirrors. It is entitled "Owned and Exposed".
The document ends with a quote from Canadian philosopher Jean Vanier, reading, "Growth begins when we begin to accept our own weakness."
Explaining its motives, the group said in a statement: "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat.
"There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly. The subdomain and vulnerable parameters have not been posted to avoid further damage."
Computing has been promised an update from Yahoo's UK & Ireland press office concerning the company's progress with its investigations, but so far no new information has appeared beyond the admission that there is a problem.
Mike Newman, CEO of security firm my1login, said, "We are seeing the frequency of high-profile hacking incidents escalate and I can only see that pattern continuing to build."
Newman's advice to users is to keep passwords fresh and varied: "It is no longer defensible to use the same password on every site and it is critical that unique long and complex passwords containing a mixture of letters and numbers are used by the public to protect themselves."
The attack follows a similar high-profile breach of LinkedIn last month.